3D face mapping as a true differentiator in biometric liveness detection

The rapid global adoption of biometrics for identification and access management by organisations of all sizes clearly indicates they are here to stay. Yet, until 3D face authentication technology became available in late 2017, 2D face recognition that matches two images was all that could be obtainable. 2D face recognition vendors promised security but without any proper third-party testing available, it was left to each organisation to perform their own due diligence.

The main issue is the vast majority of 2D liveness detection deployments on the market today can be easily fooled. Many so-called liveness checks are not secure. Asking a user to blink, smile or nod their head can all be replicated using photos, video playbacks, masks and even AI models. These methods can simply bypass virtually all liveness check systems, especially when it comes to the digital onboarding process.

In today’s social media world, how to defeat a high-value system disseminates via dark web forums, creating a fraud nightmare for any company that has implemented sub-par liveness technology.

The advantages of 3D face mapping technology in fighting fraud

Without the sophistication of new 3D face-mapping technology, the 2D face recognition solutions have rarely seen any large-scale deployments, and those that have gone live - have still been plagued by fraud. A number of new digital only banks are suffering large-scale fraud attacks on a daily basis because fraudsters have found it far too easy to circumvent these systems with fake passports and stolen photos. Identity theft is still the largest fraud practice and it is very hard to prove that an ID document captured via a camera is 100% genuine, so the only thing left is to rely on is capturing a person’s face. That is where the problem lies for checking whether a person is truly real.

3D face-mapping contains 100 times more data points than a 2D photo, and are required to accurately recognise the correct user’s face while concurrently verifying their human liveness. This liveness check is especially critical in unsupervised authentication scenarios such as confidential account access management and high-value mobile transactions. It must be proven in real-time that the person requesting access is actually the correct user, not just a representation.

The biometrics industry faces a reality check and a major challenge because many vendors have not fully solved the spoofing issues as they claim. Many software providers have not been independently verified and thoroughly tested by third party accredited testing labs such as NIST or iBeta. Moreover, until the NIST-certified, ISO-guided iBeta test, there was no recognised standard for performance claims and no transparency.All buyers should be aware of these vulnerabilities and demand vendors have the viability of their anti-spoofing performance tested by third parties before they use them to secure their applications. Without a validated ISO 30107-3 certification against cooperative user fraud, a system is not secure. It is not all about matching algorithms either, because there are minimal differences between the top and bottom performance levels. It is mainly about the number of data points and signals that can be attained during the capture process. That is where a 3D face map is stronger and nearly impossible to break.

Key distinctions to address

Some businesses are often unable to distinguish a modified recognition product from a true authentication solution, despite fundamental differences between the two. Some vendors are all too willing to overlook this which leaves customers and users with a false sense of security and unknown levels of risk.

However, biometrics development has begun to gain momentum, particularly for AI-driven applications, and significant gains in usability and security performance have not only raised the bar, but have begun to expose critical weaknesses in many of the legacy solutions in use today.

Businesses seeking biometric authentication technologies are rarely subject-matter experts, and without recognised standards and independent third-party verification they have little to go on when attempting to assess what biometric solutions will provide high-performance, long-term security for their particular use cases.

The terms “recognition” and “authentication” are often used interchangeably by those not familiar with the differences. Authentication identifies a correct user through image-matching, but also concurrently verifies them as a real, live human. This has only recently been made possible by significant, AI-driven abilities that can observe numerous living human traits and characteristics in real-time and concurrently.

Systems that are sanctioned by a third-party certification have become vitally important nowadays because fraudsters are increasingly getting more sophisticated themselves in defeating authentication processes. Today, many biometric vendors have claimed they have solved spoofing or penetration attacks, but these claims are not backed up by any independent third party testing accreditations.

The crucial role of biometrics in payments

Biometric technology is now playing a significant role in payments. Verifying all transactions in a two-factor process now falls under the remit of Strong Customer Authentication (SCA) within the scope of PSD2. PSD2 is specifically designed to make payments more secure. However, both users and businesses alike will need to trust biometrics in the SCA process. If a biometric modality can be easily spoofed, then that could lead to a serious breach of the regulations, fines and a damaged brand reputation.

The deadline for compliance with SCA is set for 14th September, 2019. If banks and ecommerce operators cannot rely on biometrics being as robust and unbreakable as possible, particularly with regard to high risk transactions, widespread adoption could hinder the whole biometrics industry if there are flaws in the technology which of course fraudsters will exploit.

About Steve Cook

Steve Cook is an independent biometrics and fintech consultant, helping banks, ecommerce enterprises and fintech startups to navigate the complex world of biometrics. He advises financial institutions regarding their deployment of biometric authentication and digital identity strategies; assisting in the process of vendor selection, biometric modalities and types of solutions. Steve has over six years’ experience in the biometrics industry previously with Daon and Facebanx. He now operates his own consultancy business Biometrics for eCommerce and he is currently providing services to a fintech startup FaceTec as well as a major European bank.